Visitors sometimes feel bored with our web blog because of too many boring stuffs which not often appear in their casual work/study. I just want to post such a simple tutorial for beginners and if you are experienced in CTF's pwn then just skip it. Enjoy!

Assuming there are 20 employees in a company, and if each employee has his or her own copy of the secret key then it is hard to assure on individuals due to compromise and machine break down. In the other hand, if there is a valid signature requires all 20 employees’ signature in the company then it will be very secure but not be easy to use. Therefore we can implement a scheme which requires only sign 5 or more out of 20 employees then it will be valid and that is exactly what a (5,20) threshold signature scheme tries to achieve. In addition, if a threat agent wants to compromise the system and obtain a message, he must compromise at least 5 people in the scheme and that is a harder thing to do compared to a traditional public scheme.

The given ciphertext has only letters without space, punctuation or separated key, there are two classic cipher systems such as substitution cipher and transposition cipher which are known to be easy to attack by using frequency analysis or bruteforce techniques. Continue reading Deciphering Ceasar basic concept→

I'm too lazy to write up in deep these challenges, but i will give you my solution to solve these challenges. You will do it by yourself before you read my exploit script, that makes you understand deeper. I hope you enjoy with this. Happy pwnning.

WWTV

The bug is easy to find at function Coordidate, this is basic format string bug

But before you enter printf(s), we must to bypass the check a pair float number is parsed from s, to bypass it we just append format string bug to the end of the pair '51.492137,-0.192878' , for more information about atof read this http://www.cplusplus.com/reference/cstdlib/atof/

So the payload to exploit this bug too easy:

First, we need to leak binary base address, and libc address

Second, calc system address and then overwrite atof got by system address and then pwned.

But the game is not over, before we exploit the bug, we need to solve 2 problems:

We must to write a program to solve the game to enter TARDIS mode (this task is to quite strange)

We must bypass timecheck to enter vulnerable function

time_c > 0x55592B6C && time_c <= 0x55592B7F;

We must set time_c in range (0x55592b6c,0x55592b7f].

Take a look at READ_DATA function , will be triggered after 2 second.

OMG, the buffer was used for saving the connection to localtime server was used to store user input. We just send 9 zero bytes to server and then wait until READ_DATA is triggered and then send 4 bytes in require range, and we will enter vulnerable function.

CyberGrandSandbox

This program implementing basic Polish Notation by using JIT compiler.

The structure of jit is:

Take a look at function handle_digit

When we inputted a string of number is seperated by space character , the jit compiter will push it in the stack_buffer.

We know that size of stack_buf is 0x1000 (located below stack_code), in this function there are no unbound checking if we push the stack_buf into stack_code, and so this bug does.

We just write own shellcode and then overwrite some opcode in the end of asm_code with own shellcode (because cgc executable is not have sys_execve syscall so we just use some syscall provided by CGC to read the flag).

Intrestingly enough, even though it was not expected, Chintu found a cool website to play with, though he can't get the flag. Can you? Visit this. Submit the SHA-256 hash of the flag obtained.

Gaylord : At first, (str (all-ns)) to get all namespaces. And then (clojure.repl/dir noname.people.admin) to see what inside. There is including flag and secret. Used (noname.people.admin/flag) to get the a half of the flag.

Chuymichxinhdep: However secret is a private variable variable, I used ((noname.people.admin/secret)) to obtain the other half of the flag. Problem solved.